Tor logo

In the past week, we decided to enhance the protection we offer via our Anonymous Networks target, and discussed the use of VPN and Tor to bypass network security. Up until today, we primarily only blocked Tor exit nodes. However, we decided that this target should not only block Exit nodes, but also Guard and Middle relays. Here, we explain how TOR works and what changes were made to the target.

So, What's Tor Anyway?

Tor (an acronym derived from the original software project name – “The Onion Router”) is a network based on volunteer operated servers. Tor uses this network to create virtual tunnels through its relays in order to obfuscate the connection between a client and server. This method of connection allows the user to enjoy virtual anonymity as the data travels through different relays, without revealing the original user. The endpoint site thinks the request came from the Tor exit node, and the client thinks the returned data came from the Tor Guard Relay.

Ok, So How Does It Work?

In order to understand Tor, we need to understand relays (also called nodes). Tor uses an array of relays to safeguard the anonymity of the user. As a simplified explanation of the process demonstrated in (Figure 1):

Figure 1 - Tor Network

Let’s assume a user is using the Tor network to send data. The user sends that data to a relay called the Guard Relay (or, Entry Node). These relays are the steppingstone in to the Tor network. The relay peels the outer layer of encryption and forwards the packet without itself knowing if it received the data from the origin. (Or from just another relay in the chain) The second relay to receive the data is called a Middle Relay, which again, peels the outer layer and sends the data to the next relay. This brings us to the final step, the Exit Relay. (or, Exit Node) The final relay peels the last layer and sends the data to its intended receiver as if it is the original sender. However, it is important to understand the actual wrapping of the data is being done at the point of origin and is only peeled as it moves along the relay path.

What's Being Blocked?

As we mentioned, all encryption is done at the point of origin. This means that the origin must have a way to know how to contact these relays in the first place, thus comes The Consensus. Making a long story short, The Consensus is a list of all the Tor relays decided by and published by Tor’s own Directory Authorities (DAs – Figure 2). The DAs maintain the status of the entire Tor network at any given moment. This list is open to all and aids us in blocking Tor relays.

Figure 2 - A list of Tor Directory Authorities (Source - https://atlas.torproject.org)

So, All of Tor is Blocked Now?

Well, no, the key word here is: Bridges. Bridges are in fact unpublished Guard Relays and they exist exactly for that purpose, to always allow a way to connect to the Tor network. (and in cases, of oppressive regimes, this is a good thing) A Bridge allows a user to connect to the Tor network, even if all Relays are blocked. Bridges are maintained by one of the 10 DAs and can be acquired by using either email or the official Tor Bridge website.

For more information on ThreatSTOP or to try us out for a free trial, visit us here.